Trend Micro recently came across a botnet that turns an infected system into an involuntary Bitcoin miner. Bitcoin is a digital currency that uses peer-to-peer (P2P) networks to track and verify transactions. Bitcoins are generated by a free Bitcoin miner application.

The malware, detected as BKDR_BTMINE.MNR, installs mining software on infected systems. It uses the system’s resources to solve Bitcoin blocks in order to generate more Bitcoins.

A Bitcoin “block” is a complex cryptographic problem. Solving a block currently pays out 50 Bitcoins and blocks are created every time a Bitcoin transaction is made. The process of solving these blocks is called “mining.” The only way to solve a block is by brute forcing, which eats up system resources. To speed up the computation of a block, mining pools are created. The equation is split up into pieces and is solved by multiple systems. The incentive is based on how much a miner contributes to the solution.
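A toy model of the brute-force search and the pool split described above, as an added example that is not from the original article or from the malware. The header bytes, worker names and difficulty values are constructed, the header layout is simplified rather than Bitcoin's real block format, and counting lower-difficulty "shares" is one common way pools measure each member's contribution.

```python
import hashlib

def pow_hash(header: bytes, nonce: int) -> int:
    """Double SHA-256 over header||nonce, as an integer (toy layout, not Bitcoin's real header)."""
    data = header + nonce.to_bytes(4, "little")
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), "big")

def search_range(header, start, stop, share_target, block_target):
    """One pool member brute-forces its slice of the nonce space.

    Returns (share_count, block_nonces): hashes below the easy share target
    prove work was done; hashes below the hard block target solve the block.
    """
    shares, solved = 0, []
    for nonce in range(start, stop):
        h = pow_hash(header, nonce)
        if h < share_target:
            shares += 1
            if h < block_target:
                solved.append(nonce)
    return shares, solved

def run_pool(header, workers, nonces_each, share_bits, block_bits):
    """Split the nonce space across workers and pay out proportionally to shares."""
    share_target = 1 << (256 - share_bits)   # hash needs share_bits leading zero bits
    block_target = 1 << (256 - block_bits)   # much rarer: block_bits leading zero bits
    shares, solved = {}, []
    for i, name in enumerate(workers):
        start = i * nonces_each               # disjoint slice per worker
        shares[name], found = search_range(
            header, start, start + nonces_each, share_target, block_target)
        solved.extend(found)
    total = sum(shares.values())
    payout = {n: (s / total if total else 0.0) for n, s in shares.items()}
    return shares, payout, solved

# Constructed sample input: not a real block header.
SAMPLE_HEADER = b"constructed-example-header"

if __name__ == "__main__":
    shares, payout, solved = run_pool(SAMPLE_HEADER, ["a", "b", "c"], 2000, 4, 12)
    for name in shares:
        print(f"{name}: {shares[name]} shares, {payout[name]:.1%} of any reward")
    print("nonces solving the block:", solved or "none in this range")
```

Every nonce costs a full hash computation whether or not it succeeds, which is why a host running this kind of loop unattended shows sustained CPU or GPU load.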

Here, BKDR_BTMINE.MNR installs three different mining applications that run at whatever speed the system’s processing power allows. To help speed up processing, the malware downloads the necessary drivers for the infected system’s GPU and CPU. If blocks are solved, the attackers gain ownership of the generated Bitcoins.

We also found another malware detected as BKDR_BTMINE.DDOS, which is a component of BKDR_BTMINE.MNR. BKDR_BTMINE.DDOS can perform distributed denial of service (DDoS) attacks on targeted entities. The malware can also obtain a list of targeted websites from remote sites. The DDoS component may be used to attack competing Bitcoin miners and can limit their processing power. The malware also tries to communicate with a long list of IP addresses. A list of more than 2,000 IP addresses is hardcoded in the malware and is constantly updated upon execution.

Right now, Bitcoins are worth more than US$8 each. With the value of Bitcoins constantly rising, the amount of malware related to Bitcoin mining will inevitably increase as well. Because Bitcoins make use of P2P sharing, the charges incurred are a lot lower compared with transferring money through banks or clearinghouses. In addition, Bitcoin transactions are anonymous and can be used anywhere without limits. Bitcoin usage is gaining popularity in Web transactions because of these advantages, which also raise some security issues. To stay safe, encrypt all wallets as soon as you leave your system. Use a strong, unique password for wallet encryption.

Trend Micro protects product users from this attack via the Smart Protection Network by blocking all related files and URLs.

This entry was posted on Sunday, September 4th, 2011 at 1:56 am and is filed under Botnets, Malware.

No, it's not: Transactions are stuck together into a block. If every transaction would result in a new block, the maximum of ~21.000.000 available Bitcoins would probably already be reached.

In addition to this, Bitcoin transactions are anonymous and they can be used anywhere, without limits.

Bitcoin transactions are not anonymous. Every transaction generates a log entry. Since each transaction is bound between two nodes on two Bitcoin addresses, which are also reflected in the log file, the nodes (read: the owners) can be tracked. Someone who posts his Bitcoin address, for example on his blog, unmasks his identity by doing so. Bitcoin transactions are at best pseudonymous. This is a huge difference to anonymous. The cash that we use in the form of dollars, euros and yen – THIS is anonymous! 😉